Establishing VPN Using Easy VPN Remote


Establishing a VPN tunnel with Cisco Easy VPN follows almost the same process as any other VPN tunnel establishment. The difference is that the security policies are defined on the headend VPN device, so those parameters must be pushed to the remote VPN device. The following sections walk through the process of establishing a VPN tunnel using Cisco Easy VPN.

IKE Phase 1 Process Initiation

With Easy VPN, the Easy VPN Remote always initiates tunnel establishment by connecting to the Easy VPN Server. IKE negotiations can take place in one of two modes: main mode (MM) or aggressive mode (AM). The mode simply determines the number of packet exchanges required between the headend device and the remote device to get the IKE Phase 1 tunnel established.

Alert: If the Easy VPN Remote device is using preshared keys, it uses AM.


Establishing SAs

The Easy VPN Remote device sends all its IKE security proposals (every possible combination) to the Easy VPN Server. It is the Easy VPN Server that decides which of the received security parameters to use.

Acceptance of SA Proposal

The Easy VPN Server chooses which Easy VPN Remote IKE security proposal to accept based on priority levels that you have configured on the Easy VPN Server.

Initiating XAUTH

After the VPN devices agree on security proposals, and after each device performs authentication, XAUTH is initiated. The Easy VPN Server prompts the Easy VPN Remote for a username and password, and if successful, IKE Phase 1 continues.

Initiating Mode Configuration

If XAUTH is successful, the Easy VPN Remote requests mode configuration parameters from the Easy VPN Server. The Easy VPN Server then pushes the parameters to the remote device. These parameters can be items such as DNS information and the IP address.

Alert: When you configure group mode configuration parameters, an IP address is the only required configuration parameter.


Initiating Reverse Route Injection

After the Easy VPN Server assigns an IP address to the Easy VPN Remote device, the Easy VPN Server creates a static route entry in its routing table using RRI. This step ensures that the Easy VPN Remote device is reachable by devices behind the Easy VPN Server.

Connection Establishment

After mode configuration is finished, the next phase of negotiations is the IKE Phase 2 tunnel. The IKE Phase 2 tunnel is synonymous with the IPSec tunnel. Whenever you think of IKE Phase 2, think IPSec tunnel.

The IKE Phase 2 negotiations exchange and agree on IPSec security parameters to establish the IPSec tunnel. Once IKE Phase 2 negotiations are finished, the Easy VPN Remote has established an IPSec tunnel and can now access organization resources.

Alert: IKE Phase 2 negotiation happens using quick mode.
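The sequence described above maps directly onto the Easy VPN Server side of a Cisco IOS configuration. The following is an added example written for this page, not a configuration from the book; the group name, AAA list names, usernames, keys, pool range and interface name are all placeholders.

```cisco
! Added example: Easy VPN Server on Cisco IOS. Every name, key and
! address below is a placeholder, not a value from the book.
aaa new-model
! XAUTH: the login list the server uses to prompt the remote for
! a username and password after the IKE proposal is accepted
aaa authentication login ezvpn-xauth local
! Group authorization: the list used to look up the mode-config group
aaa authorization network ezvpn-group-author local
username remote-user password 0 REPLACE-ME
!
! IKE Phase 1 policy. Pre-shared authentication with DH group 2 is
! what an Easy VPN Remote using preshared keys proposes in aggressive
! mode; the policy priority (10) is what the server matches against
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Mode-configuration group. The pool (the pushed IP address) is the
! only required attribute; dns and domain are optional pushed values
crypto isakmp client configuration group ezvpn-group
 key REPLACE-ME-GROUP-KEY
 dns 10.0.0.10
 domain example.test
 pool ezvpn-pool
ip local pool ezvpn-pool 10.99.0.1 10.99.0.254
!
! IKE Phase 2 (quick mode) IPSec parameters
crypto ipsec transform-set ezvpn-ts esp-aes esp-sha-hmac
!
! Dynamic crypto map, because the remote's address is not known in
! advance; reverse-route performs RRI for the assigned address
crypto dynamic-map ezvpn-dyn 10
 set transform-set ezvpn-ts
 reverse-route
!
! Tie XAUTH, group authorization and mode config to the crypto map
crypto map ezvpn-map client authentication list ezvpn-xauth
crypto map ezvpn-map isakmp authorization list ezvpn-group-author
crypto map ezvpn-map client configuration address respond
crypto map ezvpn-map 10 ipsec-isakmp dynamic ezvpn-dyn
!
interface GigabitEthernet0/0
 crypto map ezvpn-map
```

After a remote connects, `show crypto isakmp sa` shows the Phase 1 SA and `show ip route static` shows the host route that RRI injected for the assigned address.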




CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
EAN: N/A
Year: 2003
Pages: 291
Authors: Raman Sud
